[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security concerns with minified javascript code

 ❦  2 septembre 2015 09:54 +0200, Samuel Thibault <sthibault@debian.org> :

>> If you talk about Grunt,
> That's what I'm talking about.
>> Grunt comes with a lot of plugins (and does almost nothing without
>> those) and each upstream will require different plugins with different
>> versions (Grunt plugin versions are evolving fast). See the tree I
>> posted for jQuery 3.x in <m3y4gwnern.fsf@neo.luffy.cx>.
> That's precisely what I'm talking about.
>> All this dependency chain is maintained by a variety of upstreams with
>> different release schedules and goals.
> Sure, but apparently the set of plugin versions which fit together is
> known?  I.e. I guess you didn't write the tree by hand?

Yes, but it's only to compile jQuery. If I take another random project,
I will get a different set of plugins.

Or maybe you propose to just ship the whole "node_modules" directory
(which has all the dependencies) with jQuery sources? This would incur
some work on d/copyright and I don't see like this would be a good
practice. But this would solve some of the problems, yes.
Why is it that we rejoice at a birth and grieve at a funeral?  It is because we
are not the person involved.
		-- Mark Twain, "Pudd'nhead Wilson's Calendar"

Attachment: signature.asc
Description: PGP signature

Reply to: